By: Amaury OIDC user 24 Apr 2018 at 4:49 a.m. CDT

5 Responses
Hi, I'm trying to delegate the authentication from Gluu to another **OP** (**O**penID Connect **P**rovider), whatever it is. Example: another Gluu instance, an OpenAM, a Keycloak... This Gluu instance will be considered as an OIDC broker. I have as input the endpoints, a list of scopes, clientID, clientSecret (and maybe a list of attributes if these are not the default ones).

I got the "passport-openid-connect" node module and I created a file /opt/gluu/node/passport/server/auth/openidconnect.js. Using the google file as an example (/opt/gluu/node/passport/server/auth/google.js), I modified the file /opt/gluu/node/passport/server/auth/configureStrategies.js to handle the new node module, but I can't get this to work. I tried to keep google and just change the endpoints to match my OP, but some google feature must be hardcoded somewhere.

Questions I have:

- In the file "configureStrategies.js", here is my example:

> if (data.passportStrategies.openidconnect) {
>     logger.log('info', 'OIDC manual Strategy details received');
>     logger.sendMQMessage('info: OIDC manual Strategy details received');
>     OICStrategy.setCredentials(data.passportStrategies.openidconnect);
> }

Must the `openidconnect` be the name which is manually set in the Gluu interface? Must it be the provider value in the config object? Both?

- In the google example, in the google.js file, the function setCredentials = function(credentials): does the credentials object contain all the values that were set in the Gluu interface, like clientID and clientSecret?

- Where should I put the list of scopes?

If someone better than me already did this, I'd fancy his configuration file. I'll keep trying today.

Thanks for reading me,
Amaury

By Thomas Gasmyr Mougang staff 24 Apr 2018 at 5:03 a.m. CDT

Hi, We have inbound SAML documentation [here](https://gluu.org/docs/ce/authn-guide/inbound-saml-passport/). Thanks.

By Amaury OIDC user 24 Apr 2018 at 8:24 a.m. CDT

Hi Thomas, thanks a lot for your answer!

From what I read, this documentation seems to be SAML brokering: the user does OIDC in Gluu, then Gluu redirects the user to an IDP (a SAML identity provider) to do a SAML identification.

What I wish to do is forward the identification to another OpenID Connect Identity Provider (OP), like OpenAM / Keycloak / another Gluu instance / Sign&Go...

If I missed something, apologies. If you think it will help me to look at this passport code, I'll look into it. If I was not clear enough in my requests, apologies.

Thanks again

By Amaury OIDC user 24 Apr 2018 at 9:52 a.m. CDT

I found a configuration file /opt/gluu/node/passport/server/routes/index.js and there is a static list of a lot of Strategies; maybe adding mine there will make me progress. I'll update if it works.

Edit 1: I always have an error. In the HTTP calls, I see a query containing a SAML, so I think some things are still on the default value: /auth/saml/openidconnect/eyJhbG..... I'll keep searching.

Edit 2: I found another hardcoded file with the list of supported providers: https://github.com/GluuFederation/oxAuth/blob/master/Server/src/main/webapp/auth/passport/passportlogin.xhtml

> if(provider.match("facebook") || provider.match("twitter") || provider.match("linkedin") || provider.match("google") || provider.match("tumblr") || provider.match("yahoo") || provider.match("github") || provider.match("dropbox")){
>     send_url = url_social;
> }

That's why I got a SAML URL, when that's not the case with the google auth.

Edit 3: I think I'm one step further. I managed to get /passport/auth/openidconnect/eyJhbG.... instead of /passport/auth/saml/openidconnect/eyJhbG.... But I got redirected (in the logs) to /passport/login; when I do the google auth, after /passport/auth/google I am redirected to the google login page. The error in the UI is:

> "Go back and register!"

In a log file, I saw:

> org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:209) - No JSON object could be decoded

Maybe it tried to parse my well-known file; I don't know if it's related. I saw some posts with this error, but it does not seem related. I'll keep searching, but I'm running out of options. I'll update if I manage to make it work.

By Thomas Gasmyr Mougang staff 27 Apr 2018 at 7:03 a.m. CDT

Hi, Any update?

By Amaury OIDC user 27 Apr 2018 at 9 a.m. CDT

Hi Thomas,

I went a step further. I think it was a name mismatch, but I tried to modify so many things I can't be sure. If I ever make it work, I'll have to start over to have clean documentation. I have some work to do on another OP before going back to this.

So I managed to be redirected to my second OP! However, after I log in, I get an infinite URL redirect:

> {"level":"info","message":"::ffff:127.0.0.1 - - [26/Apr/2018:14:56:15 +0000] \"GET /passport/auth/openidconnect/callback?session_state=16587c52-b812-499e-90d8-bc42723181e6&code=[the-code] HTTP/1.1\" **302** 0 \"-\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36\"","timestamp":"2018-04-26T14:56:15.610Z"}
>
> {"level":"info","message":"::ffff:127.0.0.1 - - [26/Apr/2018:14:56:15 +0000] \"GET /passport/auth/openidconnect/callback?session_state=16587c52-b812-499e-90d8-bc42723181e6&code=[the-code] HTTP/1.1\" **302** 0 \"-\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36\"","timestamp":"2018-04-26T14:56:15.619Z"}

I get this redirect until my browser gets bored.

Hopefully I'll have some time next week; I'll paste some additional logs if they can give me a hint. I'm pretty sure it's a configuration issue.

Thanks for asking
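One way to spot the callback redirect loop described in this last post from the passport access log, as an added example that is not part of the thread or of Gluu's code: the records below are constructed in the JSON-wrapped combined-log format pasted above, and the hop threshold and time window are assumptions.

```javascript
// Added example (not from the thread or from Gluu): flag a redirect loop in the
// passport access log. Each record is a JSON object whose "message" field holds a
// combined-log-style line, the format pasted in the post above. Sample lines are constructed.
const SAMPLE_LOG = [
  '{"level":"info","message":"::ffff:127.0.0.1 - - [26/Apr/2018:14:56:14 +0000] \\"GET /passport/auth/openidconnect HTTP/1.1\\" 302 0 \\"-\\" \\"Mozilla/5.0\\"","timestamp":"2018-04-26T14:56:14.902Z"}',
  '{"level":"info","message":"::ffff:127.0.0.1 - - [26/Apr/2018:14:56:15 +0000] \\"GET /passport/auth/openidconnect/callback?session_state=16587c52-b812-499e-90d8-bc42723181e6&code=[the-code] HTTP/1.1\\" 302 0 \\"-\\" \\"Mozilla/5.0\\"","timestamp":"2018-04-26T14:56:15.610Z"}',
  '{"level":"info","message":"::ffff:127.0.0.1 - - [26/Apr/2018:14:56:15 +0000] \\"GET /passport/auth/openidconnect/callback?session_state=16587c52-b812-499e-90d8-bc42723181e6&code=[the-code] HTTP/1.1\\" 302 0 \\"-\\" \\"Mozilla/5.0\\"","timestamp":"2018-04-26T14:56:15.619Z"}',
  '{"level":"info","message":"::ffff:127.0.0.1 - - [26/Apr/2018:14:56:15 +0000] \\"GET /passport/auth/openidconnect/callback?session_state=16587c52-b812-499e-90d8-bc42723181e6&code=[the-code] HTTP/1.1\\" 302 0 \\"-\\" \\"Mozilla/5.0\\"","timestamp":"2018-04-26T14:56:15.631Z"}',
  '{"level":"info","message":"::ffff:127.0.0.1 - - [26/Apr/2018:14:56:16 +0000] \\"GET /passport/login HTTP/1.1\\" 200 512 \\"-\\" \\"Mozilla/5.0\\"","timestamp":"2018-04-26T14:56:16.004Z"}',
];

// client - - [date] "METHOD path protocol" status ...
const ACCESS_RE = /^(\S+) - - \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function parseRecord(line) {
  const rec = JSON.parse(line);
  const m = ACCESS_RE.exec(rec.message);
  if (!m) return null;
  return {
    ip: m[1],
    method: m[2],
    path: m[3].split('?')[0], // drop the query: code and session_state change per hop
    status: Number(m[4]),
    ts: Date.parse(rec.timestamp),
  };
}

// A loop is `minHops` or more consecutive 302s from one client to one path, all
// inside `windowMs`. Both thresholds are assumptions; tune them for the deployment.
function findRedirectLoops(lines, { minHops = 3, windowMs = 5000 } = {}) {
  const loops = [];
  let run = [];
  const flush = () => {
    if (run.length >= minHops && run[run.length - 1].ts - run[0].ts <= windowMs) {
      loops.push({ ip: run[0].ip, path: run[0].path, hops: run.length });
    }
    run = [];
  };
  for (const hit of lines.map(parseRecord).filter(Boolean)) {
    const prev = run[run.length - 1];
    if (prev && (hit.status !== 302 || hit.path !== prev.path || hit.ip !== prev.ip)) flush();
    if (hit.status === 302) run.push(hit);
  }
  flush();
  return loops;
}

console.log(findRedirectLoops(SAMPLE_LOG));
```

The single 302 that sends the browser to the OP is legitimate and is not flagged; only the repeated 302s back to the same callback path, the symptom shown in the quoted log, are.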